Today, I played a little with the new features of Windows Firewall. If you are familiar with the desktop firewall in Windows Vista, you already know the most important new features. There are, however, some server-related peculiarities.
First of all, you might ask, why a server needs a personal firewall, if all your servers are behind a gateway firewall, anyway. It seems superfluous to have another firewall running on the servers.
It is interesting to note that the firewall in Windows Server 2008 is activated by default. Only an upgraded Windows Server 2003 keeps its previous state. Apparently, Microsoft’s software engineers think that Windows Firewall adds some security on servers, too.
I fully agree! Think of it as another line of defense. The more barriers you have, the more secure your network is. This corresponds to the general trend of enforcing security inside the perimeter network as well. Please check out a former discussion on 4sysops about the pros and cons of personal firewalls.
A clear disadvantage is that one of your applications can stop working because the Windows Firewall is configured incorrectly. However, this applies to all security measures: they make your network more complex and therefore more prone to errors.
The Windows Server 2008 firewall has a nice feature that alleviates this problem. Whenever you add a new role to your server, the firewall is automatically configured accordingly. For instance, if you configure your Windows server as a domain controller, the corresponding ports are opened automatically.
If you run third-party applications on your servers, you have to configure the firewall yourself. For this, you have to use the “Windows Firewall with Advanced Security” MMC snap-in. You can launch it by typing “firewall” in the Start search prompt. You’ll also see the “simple” Windows Firewall tool from the Control Panel. This tool can only be used to disable the firewall and to enable exceptions for Windows programs.
It is also possible to manage the firewall settings remotely using the MMC snap-in on a Vista machine. But if you try to connect remotely to change the firewall settings, you’ll get the message “The Windows Firewall with advanced Security snap-in failed to load. Restart the Windows Firewall service on the computer that you are managing. Error code: 0X6D9”. Well, restarting the firewall service won’t help. What you really have to do is enable remote management:
Open a command prompt with admin privileges and enter: netsh advfirewall set allprofiles settings remotemanagement enable. This should also work on a Server Core system, where it lets you manage the firewall settings much more comfortably than from the command shell.
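The command above, wrapped in a short script that also confirms the change, as an added example that is not part of the original post. It assumes it is run from an elevated PowerShell prompt on the server being managed; the string matched in the output (RemoteManagement / Enable / Disable) is the one netsh prints in the profile settings block.

```powershell
# Added example (not from the original post): enable remote management of
# Windows Firewall on this server so the MMC snap-in on another machine can
# connect, then confirm the setting took effect for every profile.
# Assumes an elevated PowerShell prompt on the server itself.

netsh advfirewall set allprofiles settings remotemanagement enable
if ($LASTEXITCODE -ne 0) {
    throw 'Could not enable remote management (is this prompt running as administrator?)'
}

# The setting exists per profile (Domain, Private, Public), so check all
# three rather than only the one that is currently active.
$status = netsh advfirewall show allprofiles | Select-String 'RemoteManagement'
$status | ForEach-Object { $_.Line }

if (($status | Out-String) -match 'Disable') {
    Write-Warning 'At least one profile still reports remote management as disabled'
} else {
    Write-Host 'Remote management is enabled on all profiles; the remote snap-in should now load'
}
```

Checking all profiles matters because a server that is later moved out of the domain switches to the Private or Public profile, and an enable that was applied to only one profile would silently stop working.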
Like in Vista, the Windows Server 2008 firewall offers three different profiles: Domain, Private and Public. If a computer is a domain member, the location type is set automatically to Domain. It is not possible to change this setting. Only the firewall rules for the Domain profile apply then. If a computer is not in any domain, you can choose between the Private and the Public location types. You can change the location type in the Network and Sharing Center if you click on “Customize” beside the network connection.
The default setting for a Windows 2008 domain controller is “Public” and domain members can only use the Domain location type. Thus, on the domain controller, you will usually configure Public rules for third party applications and on domain members you will work with Domain rules. The difference between Private and Public doesn’t matter for servers in my view. I doubt that you will grab one of your servers and connect it at Starbucks to download some patches during your coffee break. You’ll find more information about the differences between the location types in the help file of Windows Firewall.
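The rule-creation step for a third-party application, as an added example that is not part of the original post. It follows the profile choice described above (Public rules on a domain controller, Domain rules on a domain member) by reading the machine's role from WMI. The application name, port and allowed source network are constructed placeholders; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): open an inbound port for a
# hypothetical third-party service, scoped to the profile that applies on
# this server according to the post: Public on a domain controller, Domain
# on a domain member, Private on a standalone server.
# Assumes an elevated PowerShell prompt on the server.

$ruleName  = 'ContosoApp-8080'   # hypothetical application, constructed name
$port      = 8080                # hypothetical listening port
$allowedIp = '10.0.0.0/8'        # constructed: restrict callers to the internal network

$cs = Get-WmiObject -Class Win32_ComputerSystem
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
if ($cs.DomainRole -ge 4) {
    $fwProfile = 'public'
} elseif ($cs.PartOfDomain) {
    $fwProfile = 'domain'
} else {
    $fwProfile = 'private'
}
Write-Host "Creating rule '$ruleName' in the $fwProfile profile"

# Remove a stale copy first so the script can be re-run without duplicating
# the rule (netsh reports 'No rules match' on the first run; that is fine).
netsh advfirewall firewall delete rule name=$ruleName | Out-Null

netsh advfirewall firewall add rule `
    name=$ruleName dir=in action=allow enable=yes `
    protocol=TCP localport=$port profile=$fwProfile remoteip=$allowedIp
if ($LASTEXITCODE -ne 0) { throw "netsh failed to add rule $ruleName" }

# Show what the firewall actually recorded, including profile and scope.
netsh advfirewall firewall show rule name=$ruleName
```

Restricting the rule with remoteip keeps the exception as narrow as the application needs; an inbound allow without a remote-address scope is reachable from anywhere the server is reachable, which is exactly the case the extra line of defense is supposed to cover.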
To disable the firewall or change other general settings for a certain profile, right-click “Windows Firewall with Advanced Security on Local Computer” and then choose “Properties”. Of course, you can also use Group Policy to configure Windows Firewall.
Like Vista, Windows Server 2008 also supports outbound filtering. By default, outbound connections are allowed, though. It probably is too much hassle to configure outbound filtering manually on server systems. Another change compared to the firewall in Windows Server 2003 SP1 is that IPsec rules can now be configured with the same snap-in. This certainly makes sense because it reduces the risk of conflicting settings.
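The general per-profile settings from the Properties dialog (firewall state, default inbound/outbound action, logging) done with netsh, as an added example that is not part of the original post. It keeps outbound connections allowed, as described above, and turns on logging of dropped connections so that a blocked application shows up in the log rather than as an unexplained failure. The log path is the Server 2008 default; the script assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): set the per-profile general
# settings with netsh instead of the Properties dialog. Outbound stays at
# the default (allow); dropped inbound connections are logged so that a
# rule mistake can be diagnosed from the log.
# Assumes an elevated PowerShell prompt on the server.

# Default log location on Windows Server 2008 / Vista.
$logFile = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# Firewall on for all three profiles; block unsolicited inbound, allow outbound.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Log dropped connections only; logging allowed connections as well would
# make the file grow quickly on a busy server.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename $logFile
netsh advfirewall set allprofiles logging maxfilesize 4096     # size in KB
if ($LASTEXITCODE -ne 0) { throw 'netsh could not apply the logging settings' }

# Which profile is active now, and what its effective settings are.
netsh advfirewall show currentprofile

# The last few dropped packets, if the log already exists. Each line reads
# "date time action protocol src-ip dst-ip src-port dst-port ...", with the
# action column set to DROP for blocked traffic.
if (Test-Path $logFile) {
    Get-Content $logFile | Select-String '\bDROP\b' | Select-Object -Last 10 |
        ForEach-Object { $_.Line }
} else {
    Write-Host "No firewall log yet at $logFile (it is created on the first dropped packet)"
}
```

When an application fails after a firewall change, the DROP lines with the server's own address as destination and the application's port as destination port are the first thing to look for; they tell you which profile rule is missing before you touch any setting.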